Closed
Bug 884459
Opened 11 years ago
Closed 11 years ago
Heap-use-after-free in nsTArray_base<nsTArrayInfallibleAllocator>::Length()
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
Tracking | Status | |
---|---|---|
firefox22 | --- | disabled |
firefox23 | - | disabled |
firefox24 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: attekett, Assigned: padenot)
References
Details
(5 keywords, Whiteboard: [adv-main24-])
Attachments
(2 files, 1 obsolete file)
386 bytes,
text/plain
|
Details | |
987 bytes,
patch
|
ehsan.akhgari
:
review+
|
Details | Diff | Splinter Review |
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN debug-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1371553271/
To reproduce you might need to hit refresh few times after opening the repro-file in browser.
ASAN-report:
==22795== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fc6b99799c0 at pc 0x7fc6d324094a bp 0x7fc6a80861f0 sp 0x7fc6a80861e8
READ of size 4 at 0x7fc6b99799c0 thread T23
#0 0x7fc6d3240949 in nsTArray_base<nsTArrayInfallibleAllocator>::Length() const /builds/slave/m-cen-l64-dbg-asan-00000000000/build/obj-firefox/toolkit/xre/../../dist/include/nsTArray.h:363
#1 0x7fc6d33400b8 in nsTArray_base<nsTArrayInfallibleAllocator>::IsEmpty() const /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../../dist/include/nsTArray.h:368
#2 0x7fc6d467450a in mozilla::MediaStreamGraphImpl::PrepareUpdatesToMainThreadState(bool) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:913
#3 0x7fc6d4675d49 in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1124
#4 0x7fc6d4684e88 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1223
#5 0x7fc6d656bb3b in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/xpcom/threads/nsThread.cpp:626
.
.
.
freed by thread T0 here:
#0 0x43b3c5 in __interceptor_realloc ??:0
#1 0x7fc6de3cc4ba in moz_xrealloc /builds/slave/m-cen-l64-dbg-asan-00000000000/build/memory/mozalloc/mozalloc.cpp:86
#2 0x7fc6d3325013 in nsTArray_base<nsTArrayInfallibleAllocator>::EnsureCapacity(unsigned int, unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray-inl.h:167
#3 0x7fc6d467c529 in nsAutoPtr<mozilla::ControlMessage>* nsTArray_Impl<nsAutoPtr<mozilla::ControlMessage>, nsTArrayInfallibleAllocator>::AppendElements<mozilla::ControlMessage*>(mozilla::ControlMessage* const*, unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray.h:1044
#4 0x7fc6d4677a9c in mozilla::MediaStreamGraphImpl::AppendMessage(mozilla::ControlMessage*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1470
#5 0x7fc6d5d95ef0 in mozilla::dom::AudioParamBinding::setValueAtTime(JSContext*, JS::Handle<JSObject*>, mozilla::dom::AudioParam*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/obj-firefox/dom/bindings/AudioParamBinding.cpp:118
.
.
.
Updated•11 years ago
|
Updated•11 years ago
|
Assignee: nobody → paul
Updated•11 years ago
|
Flags: sec-bounty?
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox22:
--- → disabled
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox-esr17:
--- → unaffected
Comment on attachment 764775 [details] [diff] [review]
patch
Review of attachment 764775 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/media/MediaStreamGraph.cpp
@@ +1468,5 @@
> }
>
> + {
> + MonitorAutoLock lock(mMonitor);
> + mCurrentTaskMessageQueue.AppendElement(aMessage);
mCurrentTaskMessageQueue is supposed to be main-thread only, so why would this be necessary?
Assignee | ||
Comment 3•11 years ago
|
||
Well, |mCurrentTaskMessageQueue.IsEmpty()| is called on the MSG thread in MediaStreamGraphImpl::PrepareUpdatesToMainThreadState, which is called from MediaStreamGraphImpl::RunThread. Maybe this is our bug, then, I don't know MSG well enough yet to be sure.
[1]: http://mxr.mozilla.org/mozilla-central/source/content/media/MediaStreamGraph.cpp#919
Comment 4•11 years ago
|
||
That's a bug that I've put in then <http://hg.mozilla.org/mozilla-central/rev/6e264b512357> :(
Not sure how best to fix it though...
Updated•11 years ago
|
tracking-firefox23:
--- → +
tracking-firefox24:
--- → +
Well, I reviewed it...
I think we just don't need to check !mCurrentTaskMessageQueue.IsEmpty(). It doesn't matter if there are pending messages from the main thread to the graph.
Comment 6•11 years ago
|
||
If that works, then great! I don't remember why I added that check, could be that was just a mistake.
Assignee | ||
Comment 7•11 years ago
|
||
This is green locally on content/media/test and content/media/webaudio/test.
Attachment #766043 -
Flags: review?(roc)
Assignee | ||
Updated•11 years ago
|
Attachment #764775 -
Attachment is obsolete: true
Attachment #764775 -
Flags: review?(roc)
Comment 8•11 years ago
|
||
Comment on attachment 766043 [details] [diff] [review]
patch
Review of attachment 766043 [details] [diff] [review]:
-----------------------------------------------------------------
OK, I wrote this code, so, r=me. :-) Thanks!
Attachment #766043 -
Flags: review?(roc) → review+
Comment 9•11 years ago
|
||
Please land the test case as a crashtest alongside with the patch. Also, since this only happens on m-c you don't need sec-approval. It would be amazing if you can land this before the uplift (Monday.)
Comment 10•11 years ago
|
||
Comment 11•11 years ago
|
||
Target Milestone: --- → mozilla24
Assignee | ||
Comment 12•11 years ago
|
||
Somehow this did not get RESOLVED FIXED during the m-i -> m-c merge.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Flags: sec-bounty? → sec-bounty+
Comment 15•11 years ago
|
||
No longer tracking for FF23
Updated•11 years ago
|
Whiteboard: [adv-main24-]
Updated•11 years ago
|
Group: core-security
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•